Installer.exe

Installer

Nerd Tabs LLC

This adware bundler is distributed through Adknowledge's advertising-supported software managers. The application Installer.exe by Nerd Tabs has been detected as adware by 23 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from d32k27yvyi4kmv.cloudfront.net. While running, it connects to the Internet address www.ibbalance.com on port 443.
Publisher:
Nerd Tabs LLC  (signed and verified)

Product:
Installer

Version:
1.0.0.0

MD5:
04a023b3967434b858d74b7877488c87

SHA-1:
0a89c140d9dbb178d2f184202eae813d3d694554

SHA-256:
c5c87a532a0ffd2477f8866b8e87dd7adba6031a03ad91a2740c7c8199b12c03

Scanner detections:
23 / 68

Status:
Adware

Explanation:
Uses the InstallBrain monetization platform from iBario to deliver bundled adware, both search toolbars and PC optimizers from Performersoft.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
5/8/2024 11:42:48 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Application.Generic.908489 | 686
AegisLab AV Signature | AdWare.W32.InstallBrain | 2.1.4+
avast! | Win32:IBryte-FT [PUP] | 2014.9-141210
AVG | Downloader | 2015.0.3264
Baidu Antivirus | Adware.MSIL.iBryte | 4.0.3.141210
Bitdefender | Application.Generic.908489 | 1.0.20.395
Comodo Security | ApplicUnwnt | 20103
Dr.Web | Adware.Searcher.2716 | 9.0.1.0344
ESET NOD32 | MSIL/Adware.iBryte (variant) | 8.10849
Fortinet FortiGate | Adware/IBryte | 12/10/2014
F-Secure | Application.Generic.908489 | 11.2015-20-03_6
G Data | Application.Generic.908489 | 15.3.24
IKARUS anti.virus | not-a-virus:AdWare.MSIL.Agent | t3scan.1.8.5.0
K7 AntiVirus | Unwanted-Program | 13.185.14042
Malwarebytes | Trojan.MSIL.Injector | v2014.12.10.02
McAfee | Artemis!96892A6E1557 | 5600.6920
MicroWorld eScan | Application.Generic.908489 | 16.0.0.237
NANO AntiVirus | Riskware.Win32.BPlug.djpkri | 0.28.6.63850
Qihoo 360 Security | HEUR/QVM03.0.Malware.Gen | 1.0.0.1015
Reason Heuristics | PUP.Bundler.Adknowledge | 15.3.20.19
Sophos | Generic PUA PO | 4.98
Trend Micro House Call | Suspicious_GEN.F47V1113 | 7.2.344
VIPRE Antivirus | iBryte | 34844

File size:
200.9 KB (205,704 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2014

Original file name:
Installer.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Common path:
C:\users\{user}\downloads\installer.exe

Digital Signature
Signed by:
Nerd Tabs LLC

Authority:
GlobalSign nv-sa

Valid from:
11/6/2014 11:06:23 PM

Valid to:
11/7/2015 11:06:23 PM

Subject:
CN=Nerd Tabs LLC, OU=IT, O=Nerd Tabs LLC, L=Los Angeles, S=California, C=US

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11214970685444EA564782B9D78C5544B747

File PE Metadata
Compilation timestamp:
12/9/2014 3:03:30 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:lasMAeCC0KrK4REQ8r2TvtpC3hWtz3gebotsg2z4hqr+nKlmLgfd:lfI0KO4CZr2TvzCR0DTbBzMKBlmUfd

Entry address:
0x30D1E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
187.5 KB (192,000 bytes)

The file Installer.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to www.softologic.com  (174.37.181.31:80)

TCP (HTTP SSL):
Connects to www.ibbalance.com  (173.192.190.227:443)

Remove Installer.exe - Powered by Reason Core Security